You know what’s vulnerable on your network. You know the critical system patches needed. You are ready to prevent any opportunity for your business to go viral on social media as an example of ‘what not to do’. When you ask senior or non-technical executives to approve the resources to proceed, though, how can you compel them to consider your case with the same importance? How can you keep them from deciding that, for now, the current state of the network will just have to be ‘good enough’?
Presenting network security risks as technical data and metrics, or through acronyms and technical jargon alone, may not win the buy-in you hope to gain. Even a well-explained case that presents the risks and impacts on IT resources in understandable terms may still not garner approval or reflect shared values. The key is business alignment, as explained in this discussion from Gartner: show the high-level business impact of any of these risks that are not managed.
One way to convey the true business impact, not just that of IT operations, is to examine a performance model process regarding the delivery of a particular product or service from your business. As you develop this examination, include with each step of the process the potential risks.
For example, presenting the number of times the business was attacked in cyberspace in the previous month might seem like a red alert to some. To others, though, it may seem to be more of a headache that IT can continue to handle without major impact to production. Taking a different angle, presenting the number of unpatched vulnerabilities to critical systems may also catch the attention of some. For others, though, the correlation between any one of those critical systems and business production may need more explanation.
More explanation of what? Discuss the impact on a business unit when a vulnerable system goes down. What business unit processes are interrupted? How long until the processes can resume? How many hours of productivity will be lost, multiplied by how many employees? How much output or income could be lost?
As you consider your audience, start from their level and the specific business outcomes that are important to them. Next, consider what processes support those outcomes, and what performance indicators make or break the fulfillment of these processes. On what do these processes depend, and how do IT operations matter to these dependencies? Now you have made the connection from the business impact over to the risks you need to resolve.
Remember, if you do not interpret the data for your audience, your audience may interpret the data in a way different from your intention. The data and jargon surrounding the vulnerabilities and necessary updates on IT systems are imperative for the IT professional to know, but aligning these with the business impacts is a vital step towards presenting a compelling case for greater approval.